Set notBefore/notAfter to the beginning of the year to issuing certificate (v2) #550
Conversation
This modification adds a "nodatetime" argument to build-client-full and build-server-full, which issues the certificate with the notBefore and notAfter dates set to 1 Jan, differing only in the year. It could be useful for a VPN service to prevent disclosure of the client and server certificate generation date and time.
@ValdikSS I appreciate the work you have done here. The problem is, I think setting the CA creation date as the certificate expiration date is not such a good idea. Sorry for that suggestion. I would prefer this to work like so:
How does that sound? Edit: This is not right either...
Your goal is to set the certificate dates notBefore and notAfter to a preset date, to hide the real generation date. Setting the notBefore date to 01/01/YYYY is good. Therefore, notAfter =
Note 1:
How does that sound?
I have a patch which fixes your patch. I can merge this as-is and fix 🍰 🍻 or you can fix this. 🔥 🎱
The initial idea was to mask the actual certificate creation date. The reason was to further anonymise user certificates. (YMMV)

There is now a second part to this date "fixing":

* This allows for all certificates to expire on the same day.

Using command option '--fix-offset=nnn', all certificates will be created
* with a 'notBefore' date of January 1st of the current year.
* with a 'notAfter' date of the day-of-year number from '--fix-offset', in the final year, as per EASYRSA_CERT_EXPIRE (Default 825 days).

The default 825 days results in 2 years plus the offset given. This can also be set in the 'vars' file, for convenience.

The default day-of-year offered is 183; either July 2 or 3 (leap year).

Follow-up to: #550 (Replaces 'nodatetime' with '--fix-offset')

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
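The date arithmetic described in the commit message above, worked through as an added example (this is not easy-rsa's code and not the PR's patch). It assumes the following reading of the description: notBefore is 00:00:00 UTC on 1 January of the issuing year; the "final year" is the year reached by adding EASYRSA_CERT_EXPIRE days to notBefore; notAfter is 1 January of that final year plus the '--fix-offset' day count. The function names, the `today` parameter and the sample dates are constructed for the example. The `-startdate` / `-enddate` options are real `openssl ca` options that accept the `YYYYMMDDHHMMSSZ` form the helper emits.

```python
from datetime import date, datetime, timedelta, timezone

# Defaults quoted in the commit message: EASYRSA_CERT_EXPIRE=825, --fix-offset=183.
DEFAULT_CERT_EXPIRE_DAYS = 825
DEFAULT_FIX_OFFSET = 183


def fixed_validity(today: date,
                   expire_days: int = DEFAULT_CERT_EXPIRE_DAYS,
                   fix_offset: int = DEFAULT_FIX_OFFSET) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) for a certificate issued on `today`.

    Every certificate issued in the same calendar year with the same
    settings gets identical dates, so the real issuance moment is not
    recorded in the certificate (the privacy goal of the PR).
    """
    if expire_days < 1:
        raise ValueError("expire_days must be positive")
    if not 0 <= fix_offset <= 365:
        raise ValueError("fix_offset must be a day-of-year offset (0..365)")

    # notBefore: midnight UTC on 1 January of the issuing year.
    not_before = datetime(today.year, 1, 1, tzinfo=timezone.utc)

    # The "final year" is the year in which notBefore + EASYRSA_CERT_EXPIRE lands.
    final_year = (not_before + timedelta(days=expire_days)).year

    # notAfter: 1 January of the final year plus the fixed day offset.
    # With offset 183 this is 3 July in a common year and 2 July in a leap
    # year, because the extra 29 February is absorbed by the offset.
    not_after = datetime(final_year, 1, 1, tzinfo=timezone.utc) + timedelta(days=fix_offset)
    return not_before, not_after


def asn1_time(dt: datetime) -> str:
    """Format a UTC datetime as the YYYYMMDDHHMMSSZ string openssl accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def openssl_date_args(today: date,
                      expire_days: int = DEFAULT_CERT_EXPIRE_DAYS,
                      fix_offset: int = DEFAULT_FIX_OFFSET) -> list[str]:
    """Argument list to splice into an `openssl ca ...` invocation."""
    not_before, not_after = fixed_validity(today, expire_days, fix_offset)
    return ["-startdate", asn1_time(not_before), "-enddate", asn1_time(not_after)]


def is_fixed_date_cert(not_before: datetime) -> bool:
    """Quick check a reviewer can run on an issued certificate: a notBefore
    of exactly 00:00:00 on 1 January means the real issue time was masked."""
    return (not_before.month, not_before.day, not_before.hour,
            not_before.minute, not_before.second) == (1, 1, 0, 0, 0)


if __name__ == "__main__":
    # Constructed sample issuance date.
    print(openssl_date_args(date(2024, 3, 15)))
```

Note that `expire_days` only selects the final year; the exact expiry day comes from the offset, so two certificates issued in January and December of the same year still expire on the same day.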
Your modifications LGTM, thanks.
This patch adds a "nodatetime" option to the build-client-full and build-server-full commands, which generates certificates with "notBefore" set to the beginning of the year (01 January 00:00:00) and "notAfter" to the day on which the CA certificate is issued, with the difference only in the year. It could be useful for a VPN service to prevent client and server certificate generation date and time disclosure.